On the eve of the reported settlement of the Flash cookie litigation by Quantcast and Clearspring, Covington alum Kashmir Hill reports at Forbes about an online practice that could be the next “Flash cookie” among privacy advocates: web history sniffing.
According to the Complaint (PDF) filed last week in federal court in California, a Netherlands company called Midstream Media illicitly collected information about users’ web histories on its network of “YouPorn” websites. The litigation claims that Midstream used a JavaScript security flaw to determine whether particular pages had been visited by particular browser, apparently to track which users had also visited its competitors’ sites.
Like other online privacy litigation litigation that we’ve seen this year, the Midstream plaintiffs’ case relies on state consumer protection statutes and the Computer Fraud and Abuse Act, or CFAA — which existed long before both history sniffing and video streaming. Even with the creative license that comes from extending these laws to the Internet, it’s not at all clear that the plaintiffs will be able to succeed.
The gist of the CFAA claim is that Midstream violated federal law by “exceeding the scope of [its] authorization” to access users’ computers. But the plaintiffs may have an uphill climb on this claim because the CFAA generally requires plaintiffs to prove at least $5,000 in damages as a result of the defendant’s actions. While courts and regulators have agreed on their importance of protecting individual privacy, courts have been reluctant to find that disclosure of private information about an individual, by itself, has an economic cost.
Another important allegation in the Midstream complaint is that the websites allegedly tried to hide what they were doing from users, using a letter-substitution code to prevent people who looked at their sites’ JavaScript from understanding what the program was doing. Last week’s release of the FTC’s privacy report emphasized the growing expectation that website operators will explain to users what information is being collected about them.
As the trend toward privacy regulation increases in the United States, this means that companies that operate websites will need to spend more time assessing what information various parts of their website collect and how they should best communicate that information to users.